EP B1

Description

FIELD OF THE INVENTION

[0001] The invention relates generally to the field of cryptography and, more particularly, to systems and methods for generating random numbers and initial vectors.

BACKGROUND OF THE INVENTION

[0002] Cryptography involves encoding and decoding information so that only authorized persons can access the information. For example, a data file that contains sensitive financial information may need to be encrypted to prevent unauthorized persons from accessing the financial information. The data file may be encrypted before it is stored in a data storage device and/or before it is transmitted over a data network.

[0003] Typically, data is encrypted using a cipher algorithm and an encryption key. In addition, some cipher algorithms combine data to be encrypted with an initial vector to increase the randomness of the encrypted data. Data encrypted in this way is then decrypted using the cipher algorithm, a decryption key and the initial vector.

[0004] Several cipher algorithms have been developed for encrypting and decrypting data. Common cryptography standards include Data Encryption Standard ("DES"), triple DES ("3DES") and Advanced Encryption Standard ("AES").

[0005] Several standards have been developed to secure data transmission over data networks. For example, the Internet Security Protocol (commonly referred to as "IPsec") may be used to establish secure host-to-host pipes and virtual private networks over the Internet. IPsec defines a set of specifications for cryptographic encryption and authentication.

[0006] In general, cipher algorithms are relatively complex and upon execution consume a significant amount of processing power. To offload encryption/decryption processing from a host processor, dedicated hardware devices, commonly referred to as cryptographic accelerators, may be used to perform the cipher algorithms.
[0007] Moreover, some cryptographic standards such as IPsec encourage or require that the initial vectors be true random numbers. In practice, some systems that support IPsec operate at very high data rates (e.g., data transfer rates on the order of 1 gigabit per second). However, it may be difficult to generate random numbers quickly enough to support these high data rates. Some conventional systems attempt to generate random numbers at higher rates by using faster sampling rates. However, this approach may adversely affect the randomness of the generated number. Accordingly, a need exists for improved initial vector generation techniques.

[0008] US,732,138 describes a method for generating pseudo random numbers, wherein the state of a chaotic system is digitized to form a binary string. This binary string is hashed to produce a second binary string which is used to seed a pseudo random number generator. The output of the pseudo random number generator may be used in forming a password or cryptographic key for use in a security system.

[0009] According to the invention, there are provided a method of generating random numbers as defined by independent claim 1 and a parallel random number generator as defined by independent claim 4.

[0010] Further advantageous features of the invention are defined in the dependent subclaims.

[0011] The invention relates to methods and associated systems for generating random numbers and initial vectors.

[0012] One embodiment of the invention uses pseudo random number generators to generate random numbers. A random number generator generates random numbers that are used to repetitively seed the pseudo random number generators. This technique improves the number distribution of the pseudo random number generators so that each of the pseudo random number generators generates a random number. Thus, a single random number generator may be used to simultaneously generate several random numbers.
Significantly, this is accomplished without compromising the randomness of the random numbers generated by the random number generator.

[0013] In one embodiment of the invention the random numbers generated by the pseudo random number generators are used as initial vectors in encryption engines.

[0014] In one embodiment of the invention the pseudo random number generators comprise linear feedback shift registers.

[0015] One embodiment of the invention comprises a random bit generator and a round robin distribution circuit for distributing random bits to the pseudo random number generators.

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims and accompanying drawings, wherein:

Figure 1 is a block diagram of one embodiment of a random number generator constructed in accordance with the invention;

Figure 2 is a block diagram of one embodiment of a cryptographic system constructed in accordance with the invention;

Figure 3 is a flowchart representative of one embodiment of operations that may be performed in accordance with the embodiment of Figure 2;

Figure 4 is a block diagram of one embodiment of an initial vector generator constructed in accordance with the invention; and

Figure 5 is a block diagram of one embodiment of a cryptographic system in a packet data network, constructed in accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0017] The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely representative and do not limit the scope of the invention.

[0018] Figure 1 is a block diagram of one embodiment of a parallel random number generator R constructed in accordance with the invention. A random number generator 0 generates random numbers that seed several pseudo random number generators (e.g., 2A and 2B) which, in turn, may generate random numbers in parallel. As represented by the random number distribution circuit 4, the random number may be distributed to the pseudo random number generators 2A and 2B in a variety of ways.

[0019] The pseudo random number generators 2A and 2B include inputs for seeding the computation of the pseudo random numbers. For example, a simple pseudo random number generator may have a number generation algorithm of x(n+1) = x(n)^4 + x(n) + 1. Thus, in normal operation the next output (x(n+1)) of the pseudo random number generator is based on the current output (x(n)). When the pseudo random number generator is reseeded, however, the seed is used to generate the next output. For example, x(n+1) = seed^4 + seed + 1. In other words, as a random number is received by each pseudo random number generator 2A and 2B, the pseudo random number computation is affected by the random number.

[0020] In one embodiment of the invention the random number generator 0 continuously generates random numbers. Thus, the pseudo random number generators 2A and 2B may be continuously re-seeded.
In particular, the pseudo random number generators 2A and 2B may be re-seeded before their number generation algorithms repeat (i.e., before the generators generate a number a second time).

[0021] Typically, the pseudo random number generators 2A and 2B are free running. That is, they continuously generate random numbers. Significantly, by generating random numbers using as many parallel pseudo random number generators as is needed for a particular application, this aspect of the invention provides a mechanism for generating a relatively large number of random numbers at a relatively high rate of speed.

[0022] As discussed in more detail below, this technique is particularly advantageous when used to generate initial vectors for encryption algorithms.

[0023] Figure 2 is a block diagram of one embodiment of a cryptographic system S constructed in accordance with the invention. A random number generator 0 generates random numbers that seed linear feedback shift registers 2A and 2B in several security processors 4A and 4B. The linear feedback shift registers 2A and 2B generate initial vectors (e.g., random numbers) for cipher engines (partially represented by ciphers 6A, 6B and multiplexers 212A, 212B) in the security processors 4A and 4B. Thus, in this embodiment pseudo random number generators are implemented as linear feedback shift registers 2A and 2B. A random number distribution circuit 8 distributes the random numbers to the security processors 4A and 4B.

[0024] The operation of the system S of Figure 2 will be treated in more detail in conjunction with the flowchart depicted in Figure 3. The blocks and lines 2 through 8 beginning at block 0 represent the process of continuously seeding the linear feedback shift registers 2A and 2B with random numbers. The blocks and lines 3 through 316 beginning at block 0A represent the process of continuously encrypting packets using unique initial vectors generated for each packet.
[0025] As represented by block 2, the random number generator 0 continuously generates random numbers. The random number generator 0 is a true random number generator. For example, it may be implemented in an integrated circuit and generate numbers based on noise signals.

[0026] As represented by block 4, the random number distribution circuit 8 distributes the random number to pseudo random number generators (e.g., the linear feedback shift registers 2A and 2B).

[0027] In one embodiment of the invention, the random number generator 0 generates a stream of random data bits. In this case, the random number distribution circuit 8 may distribute these data bits in a round robin manner to the security processors 4A and 4B. For example, in one embodiment the random number distribution circuit 8 alternately routes each random data bit to one of the registers 2A, 2B in the security processors 4A, 4B. The registers then, in effect, assemble the bits into an appropriate word width to seed the linear feedback shift registers 2A, 2B.

[0028] An example of this embodiment is depicted in Figure 4. Figure 4 depicts a system including a security processor 412 that incorporates two free running 64 bit linear feedback shift registers to generate 128 bits of data required for AES-CBC encryption.

[0029] In Figure 4 a random bit generator 0 distributes some of the random data bits to a 32 bit shift register 2 in the security processor 412. For example, each of eight security processors (not shown) may receive one bit for every eight bits generated by the random bit generator 0. An adder 4 adds the 32 bit random number output of the shift register 2 to a 32 bit word (0xAAAA) 6 to reduce the probability that the input to the linear feedback shift registers will be zero.

[0030] A multiplexer 8 distributes the data bits from the 32 bit random number to the seed inputs of linear feedback shift registers 4A and 4B. In this embodiment, the multiplexer 8 is used to re-seed the most significant word of each of the 64 bit linear feedback shift registers in a round robin fashion each time 32 bits of data are detected in the shift register 2.

[0031] The width of the initial vector may depend on the type of encryption. For example, in a block cipher the width of the initial vector may equal the width of a block. In one embodiment, when DES encryption is activated the initial vector is 64 bits and, alternatively, when AES is activated the initial vector is 128 bits. Thus, for 3DES and DES the initial vector may be constructed using WORD2 and WORD0 from the two 64 bit linear feedback shift registers 4A and 4B. For AES the initial vector may be constructed using WORD3, WORD2, WORD1 and WORD0 from the two 64 bit linear feedback shift registers 4A and 4B.

[0032] This implementation of a random number generator helps to ensure that the initial vectors are picked at random as often as possible for each packet. In addition, this implementation of free running linear feedback shift registers helps to ensure that back to back packets have initial vectors with a relatively high Hamming distance as recommended for IPsec.

[0033] This embodiment may be used to support encryption at relatively high data rates. For example, one embodiment of the invention uses a random bit generator operating at 2 million bits per second ("2 Mbits/s") in conjunction with eight security processors, each of which provides cryptographic processing at 600 Mbits/s. In this case, using 64 bit linear feedback shift registers the linear feedback shift registers are re-seeded every 26 random bits. It should be noted, however, that the linear feedback shift registers typically are "clocked" every clock cycle (e.g., at a 600 Mbit/s rate).
[0034] To ensure that the pseudo random number generators do not repeat before they are re-seeded, it is important to select proper polynomials for the pseudo random number generators. For example, for a 64 bit linear feedback shift register, a polynomial on the order of 2^64 typically may be used. In one embodiment, the polynomial for the first linear feedback shift register is x^64 + x^4 + x^3 + x + 1 and the polynomial for the second linear feedback shift register is x^6 + x

[0035] Referring again to the process in Figure 3, as represented by block 6, the random numbers in the registers 2A and 2B (Figure 2) are used to seed the linear feedback shift registers 2A and 2B.

[0036] The linear feedback shift registers 2A and 2B generate initial vectors (block 3) that are used by cipher engines to encrypt data (block 312). For example, when a new packet is to be encrypted, a multiplexer 212A adds the initial vector to unencrypted data received over line 214A. A cipher 6A (e.g., a block cipher) encrypts a portion of the data and outputs it over line 216A (block 314). In addition, the encrypted data is fed back to the multiplexer 212A so it may be subsequently added to the unencrypted data in place of the initial vector.

[0037] As represented by the line 316, this operation repeats as necessary to encrypt the incoming data stream. In this embodiment, as each new packet is to be encrypted, a new initial vector is added to the data to improve the randomness of the encrypted data. To this end, the linear feedback shift registers 2A and 2B continuously generate new initial vectors.

[0038] To maintain the randomness of the initial vectors, as represented by the line 8, the linear feedback shift registers 2A and 2B are continuously re-seeded with random numbers. In particular, in accordance with one embodiment of the invention, the linear feedback shift registers are re-seeded on a per-packet basis.
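To make the Figure 4 data path of [0027] to [0034] concrete, here is an added software model (not the patent's own code or circuit): a bit source distributed round robin to several security processors, a 32 bit shift register and adder per processor, two free running 64 bit linear feedback shift registers whose most significant words are re-seeded alternately, and initial vector assembly from WORD3 to WORD0 for AES or WORD2 and WORD0 for DES/3DES. Assumptions: the entropy source is a constructed deterministic SHA-256 stream standing in for the noise-based hardware generator, the bias constant 0xAAAA5555 and the polynomial of the second register are made up here because the page's values are not legible, and register A is taken to hold WORD3:WORD2 and register B WORD1:WORD0.

```python
"""Model of the Figure 4 style initial-vector generator (added example)."""
import hashlib

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1
# Galois feedback mask for the page's first polynomial x^64 + x^4 + x^3 + x + 1.
POLY_MASK = (1 << 4) | (1 << 3) | (1 << 1) | 1
# ASSUMED 32-bit bias word: the page's constant is not fully legible.
ZERO_AVOID_BIAS = 0xAAAA5555


def constructed_bit_source(nbits: int, label: bytes = b"constructed") -> list[int]:
    """Deterministic stand-in for the noise-based hardware bit generator,
    constructed so the model runs offline. It is NOT a true random source."""
    bits, ctr = [], 0
    while len(bits) < nbits:
        block = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        ctr += 1
    return bits[:nbits]


class Lfsr64:
    """64-bit Galois LFSR. The all-zero state is a fixed point, which is
    why the design adds a constant before seeding."""

    def __init__(self, state: int) -> None:
        self.state = state & MASK64

    def clock(self) -> int:
        msb = self.state >> 63
        self.state = (self.state << 1) & MASK64
        if msb:
            self.state ^= POLY_MASK
        return self.state

    def reseed_msw(self, word: int) -> None:
        # Replace only the most significant 32-bit word; keep the low word.
        self.state = ((word & MASK32) << 32) | (self.state & MASK32)


class SecurityProcessor:
    """Shift register, adder, two LFSRs and mux. Assumed: LFSR A supplies
    WORD3:WORD2, LFSR B WORD1:WORD0, both using the same polynomial."""

    def __init__(self, start_state: int) -> None:
        self.shift = 0
        self.nbits = 0
        self.lfsr_a = Lfsr64(start_state)
        self.lfsr_b = Lfsr64(start_state ^ MASK64)
        self.reseed_b_next = False

    def accept_bit(self, bit: int) -> None:
        self.shift = ((self.shift << 1) | (bit & 1)) & MASK32
        self.nbits += 1
        if self.nbits == 32:  # a full 32-bit random word has been assembled
            self.nbits = 0
            word = (self.shift + ZERO_AVOID_BIAS) & MASK32  # adder stage
            target = self.lfsr_b if self.reseed_b_next else self.lfsr_a
            target.reseed_msw(word)  # mux: re-seed A, then B, then A ...
            self.reseed_b_next = not self.reseed_b_next

    def clock(self, cycles: int = 1) -> None:
        for _ in range(cycles):  # both LFSRs are free running
            self.lfsr_a.clock()
            self.lfsr_b.clock()

    def initial_vector(self, cipher: str) -> int:
        word3, word2 = self.lfsr_a.state >> 32, self.lfsr_a.state & MASK32
        word1, word0 = self.lfsr_b.state >> 32, self.lfsr_b.state & MASK32
        if cipher == "AES":  # 128-bit block, 128-bit IV
            return (word3 << 96) | (word2 << 64) | (word1 << 32) | word0
        return (word2 << 32) | word0  # DES / 3DES: 64-bit IV


def generate_ivs(nprocs: int, npackets: int, bits_per_packet: int,
                 cipher: str = "AES", cycles_per_packet: int = 1000) -> list[list[int]]:
    """Per processor, the IV used for each successive packet."""
    procs = [SecurityProcessor(0x0123456789ABCDEF + i) for i in range(nprocs)]
    bit_stream = iter(constructed_bit_source(nprocs * bits_per_packet * npackets))
    ivs: list[list[int]] = [[] for _ in procs]
    for _ in range(npackets):
        for _ in range(bits_per_packet):
            for proc in procs:  # round robin: bit k goes to processor k mod nprocs
                proc.accept_bit(next(bit_stream))
        for i, proc in enumerate(procs):
            proc.clock(cycles_per_packet)  # LFSRs keep running between packets
            ivs[i].append(proc.initial_vector(cipher))
    return ivs


def min_consecutive_hamming(ivs: list[int]) -> int:
    # Smallest Hamming distance between the IVs of back-to-back packets.
    return min(bin(x ^ y).count("1") for x, y in zip(ivs, ivs[1:]))
```

The `min_consecutive_hamming` helper lets you check the back-to-back initial vector spacing described in [0032] on the model's output, and `Lfsr64(0).clock()` shows the all-zero lock-up that the adder stage is there to avoid.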
[0039] In one embodiment, all of the components in the system S of Figure 2 are implemented in a cryptographic accelerator integrated circuit. For example, the cryptographic accelerator may incorporate four, eight or more security processors. Such a device may be used, for example, to offload cryptographic computations from a host processor as depicted in Figure 5.

[0040] In Figure 5, host processors 00A and 00B connected to a data network 02 send messages to one another via network controller / packet processor components 04A and 04B. When one host processor sends secured data (e.g., per the IPsec standard) to the other host processor they may use cryptographic accelerators 06A and 06B to encrypt and decrypt the associated data packets. For example, a host processor (e.g., 00A) initially sends unencrypted packets to a cryptographic accelerator (e.g., 06A). The cryptographic accelerator includes cipher engines (e.g., A) that encrypt the packets. The cryptographic accelerator 06A may then send the encrypted packets over the network 02 or it may send the encrypted packets back to the host processor 00A and the host processor sends the encrypted packets over the network 02. In accordance with one embodiment of the invention, the cryptographic accelerators 06A and 06B may incorporate initial vector generators 08A and 08B as discussed herein.

[0041] It should be appreciated that the inventions described herein are applicable to and may utilize many different protocols and standards and modifications and extensions of those protocols and standards including, for example and without limitation, IPsec, SSL and FCsec. Moreover, a variety of cryptographic algorithms and modifications and extensions thereof may be used including, for example and without limitation, DES, 3DES and AES.

[0042] A variety of pseudo random number generators and associated algorithms may be used in implementing the inventions described herein.
For example, different linear feedback algorithms and cyclic redundancy check ("CRC") algorithms may be used. In addition, the pseudo random number generators may be implemented using hashing techniques such as SHA-1 and MD.

[0043] The pseudo random number generators may be seeded in several different ways. For example, the pseudo random number generators may be free running, i.e., they are continuously clocked. Alternatively, the pseudo random number generators may be clocked every time a new packet arrives.

[0044] It should also be appreciated that the inventions described herein may be constructed using a variety of physical components and configurations. For example, a variety of hardware and software processing components may be used to implement the functions and components described herein. These functions and components may be combined on one or more integrated circuits.

[0045] In addition, the components and functions described herein may be connected in many different ways. Some of the connections represented by the lead lines in the drawings may be in an integrated circuit, on a circuit board, over a backplane to other circuit boards, over a local network and/or over a wide area network (e.g., the Internet).

[0046] A wide variety of devices may be used to implement the data memories discussed herein. For example, a data memory may comprise one or more RAM, disk drive, SDRAM, FLASH or other types of data storage devices.

[0047] The invention may be practiced using different types of cipher engines. For example, a stream cipher may be used rather than a block cipher.

[0048] Distribution of random numbers to the pseudo random number generators may be accomplished in a variety of ways. For example, the numbers may be distributed a bit at a time or a word at a time. Here, different word widths may be used depending on the particular application.

[0049] The random numbers also may be distributed using a variety of hardware and software techniques. For example, relatively simple signal lines and/or busses and/or associated registers may be used to distribute the random numbers.
In addition, packet routing techniques may be used to route the random numbers and/or bits between various components in a system or an integrated circuit.

[0050] In summary, the invention described herein teaches improved techniques for generating random numbers and initial vectors. While certain exemplary embodiments have been described in detail and shown in the accompanying drawings, it is to be understood that such embodiments are merely illustrative of and not restrictive of the broad invention. It will thus be recognized that various modifications may be made to the illustrated and other embodiments of the invention described above, without departing from the broad inventive scope thereof. In view of the above it will be understood that the invention is not limited to the particular embodiments or arrangements disclosed, but is rather intended to cover any changes, adaptations or modifications which are within the scope of the invention as defined by the appended claims.

Claims

1. A method of generating random numbers, comprising: generating (2) at least one random number; distributing (4) the at least one random number to a plurality of pseudo random number generators (102A, 2B), where distributing comprises adding a predetermined number to the at least one random number to reduce the probability that the input to the plurality of pseudo random number generators (2A, 2B) will be zero; repetitively seeding (6) the plurality of pseudo random number generators (2A, 2B) with the at least one random number, such that the number distribution of the pseudo random number generators (102A, 2B) is improved; simultaneously generating several random numbers using the pseudo random number generators (2A, 2B) for generating a relatively large number of random numbers at a relatively high rate of speed, without compromising the randomness of the random numbers generated by the random number generator; generating (3) a plurality of initial vectors using the several random numbers; and using the initial vectors in encryption engines.

2. The method of claim 1 wherein the plurality of pseudo random number generators (2A, 2B) comprise a plurality of linear feedback shift registers.

3. The method of claim 1 or 2 wherein the pseudo random number generators (2A, 2B) may be reseeded before their number generation algorithms repeat.

4. A parallel random number generator, comprising: at least one random number generator (0) for generating at least one random number; and a plurality of parallel pseudo random number generators (2A, 2B), connected to receive the at least one random number, a distribution circuit (4) adapted to distribute the at least one random number to the plurality of pseudo random number generators (2A, 2B), an adder adapted to add a predetermined number to the at least one random number to reduce the probability that the input to the plurality of pseudo random number generators (2A, 2B) will be zero; wherein the plurality of parallel pseudo random number generators (2A, 2B) is adapted to be repetitively seeded with the at least one random number, such that the number distribution of the pseudo random number generators (2A, 2B) is improved; for simultaneously generating a plurality of random numbers in parallel for generating a relatively large number of random numbers at a relatively high rate of speed, without compromising the randomness of the random numbers generated by the random number generator.

5. The parallel random number generator of claim 4 wherein the plurality of parallel pseudo random number generators (2A, 2B) comprise a plurality of linear feedback shift registers.

6. The parallel random number generator of claim 4 or 5 wherein the pseudo random number generators (2A, 2B) may be free running or may be clocked every time a new packet arrives.

7. The method of claim 2 wherein: the step of generating at least one random number comprises generating random data bits by a random bit generator; the step of distributing the at least one random number to a plurality of pseudo random number generators (2A, 2B) comprises distributing some of the random data bits to a shift register of predetermined width; the method further comprising: adding the random number output of the shift register to a word of corresponding width to reduce the probability that the input to the linear feedback shift registers will be zero; distributing the random data bits from the random number to the seed inputs of a plurality of linear feedback shift registers of predetermined width by a multiplexer, wherein the width of the linear feedback shift registers and the initial vector generated at the outputs of the linear feedback shift registers may depend on the type of encryption; using the multiplexer to re-seed at least a part of each of the linear feedback shift registers in a round robin fashion each time a predetermined number of bits of data are detected in the shift register, such that the random number generator (0) helps to ensure that the initial vectors are picked at random as often as possible for each packet; wherein the linear feedback shift registers are free running, helping to ensure that back to back packets have initial vectors with a relatively high Hamming distance.

8. The method of claim 2 or 7 wherein the several random numbers are used to seed the plurality of linear feedback shift registers; further comprising the steps of: using the linear feedback shift registers to generate the initial vectors used by the cipher engines to encrypt data; adding the initial vectors to unencrypted data by a plurality of multiplexers; encrypting portions of the unencrypted data by a plurality of ciphers; outputting the encrypted data; feeding back the encrypted data to the plurality of multiplexers such that the encrypted data may be subsequently added to the unencrypted data in place of the initial vectors; continuously re-seeding the linear feedback shift registers with random numbers; continuously generating new initial vectors by the plurality of linear feedback shift registers to maintain the randomness of the initial vectors; adding the new initial vectors to the unencrypted data to improve the randomness of the encrypted data; repeating the prior steps as often as necessary to encrypt the incoming streams of unencrypted data.

9. The parallel random number generator of claim 5, wherein the random number generator is adapted to generate a stream of random data bits, wherein the distribution circuit (4) is adapted to distribute these data bits in a round robin manner, and to alternately route each random data bit to one of a plurality of registers, wherein the registers are adapted to assemble the data bits into an appropriate word width to seed the plurality of linear feedback shift registers.

10. The method of claim 8 wherein the plurality of linear feedback shift registers are re-seeded on a per-packet basis.

11. The parallel random number generator of any of claims 4-6 or 9 comprising: at least one random bit generator for generating a plurality of random bits; at least one register, connected to receive the random bits, for storing the at least one random number; and wherein the plurality of pseudo random number generators (2A, 2B) is connected to receive the at least one random number for generating a plurality of initial vectors.

12. The parallel random number generator of any of

REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description

US A [0008]
